From dbbfb5911e3e69e264a8e4ea86db49392f9cbb8f Mon Sep 17 00:00:00 2001 From: Marek Paśnikowski Date: Thu, 20 Nov 2025 19:28:30 +0100 Subject: deployment: implement build offloading from aisaka to rakan * deployment/keys.scm (aisaka-guix): define signing key of Guix daemon in aisaka. * deployment/systems/aisaka.scm (rakan-machine, guix-offload-rakan, offload-rakan): define the offload target. * deployment/systems/aisaka.scm (system): add the offload configuration to the list of services. * deployment/systems/rakan.scm (guix-offload-authorizations): change the authorized signing key to aisaka's. * deployment/users.scm (openssh-configuration): add the public SSH key of marek@aisaka. --- deployment/keys.scm | 11 +++++++++-- deployment/systems/aisaka.scm | 23 +++++++++++++++++++++++ deployment/systems/rakan.scm | 2 +- users/id1000.scm | 1 + 4 files changed, 34 insertions(+), 3 deletions(-) diff --git a/deployment/keys.scm b/deployment/keys.scm index ec67b00..85e2e64 100644 --- a/deployment/keys.scm +++ b/deployment/keys.scm @@ -4,16 +4,23 @@ (define-module (deployment keys) #:use-module (guix gexp)) +(define-public aisaka-guix + (mixed-text-file "aisaka-signing-key.pub" + "(public-key\n" + " (ecc\n" + " (curve Ed25519)\n" + " (q #983CD313090D2699AD26AE5CB589A29F24A32E247A41EB4F4A22D196DFCD9D3C#)))")) + (define-public mcdowell-guix (mixed-text-file "mcdowell-signing-key.pub" "(public-key\n" " (ecc\n" " (curve Ed25519)\n" - " (q #FDA720ED167E05AB735182D887A450DCD534A85F2697DE421E49CA043FC01E4D#)))")) + " (q #FDA720ED167E05AB735182D887A450DCD534A85F2697DE421E49CA043FC01E4D#)))")) (define-public rakan-guix (mixed-text-file "rakan-signing-key.pub" "(public-key\n" " (ecc\n" " (curve Ed25519)\n" - " (q #FDA720ED167E05AB735182D887A450DCD534A85F2697DE421E49CA043FC01E4D#)))")) + " (q #FDA720ED167E05AB735182D887A450DCD534A85F2697DE421E49CA043FC01E4D#)))")) diff --git a/deployment/systems/aisaka.scm b/deployment/systems/aisaka.scm index 6f82f9c..aa099c4 100644 
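Review bot: `rakan-guix` and `mcdowell-guix` carry the identical `q` value (`#FDA720ED…3FC01E4D#`) on the new side of the deployment/keys.scm hunk, so either the two daemons share one signing key or one definition is a copy of the other. This commit makes aisaka list `deployment:keys:rakan-guix` in its `authorized-keys`, so which host that key really belongs to now decides whose signed store items aisaka accepts. Compare the value with `/etc/guix/signing-key.pub` on rakan. If the sharing is deliberate, record it above the definitions, e.g. `;; rakan and mcdowell deliberately share one daemon signing key`; otherwise replace the value with rakan's own key.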
--- a/deployment/systems/aisaka.scm +++ b/deployment/systems/aisaka.scm @@ -2,10 +2,13 @@ ;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski (define-module (deployment systems aisaka) + #:use-module (guix gexp) + #:use-module ((deployment keys) #:prefix deployment:keys:) #:use-module ((gnu bootloader) #:prefix gnu:bootloader:) #:use-module ((gnu bootloader grub) #:prefix gnu:bootloader:grub:) #:use-module ((gnu packages tls) #:prefix gnu:packages:tls:) #:use-module ((gnu services) #:prefix gnu:services:) + #:use-module ((gnu services base) #:prefix gnu:services:base:) #:use-module ((gnu services dns) #:prefix gnu:services:dns:) #:use-module ((gnu services version-control) #:prefix gnu:services:version-control:) #:use-module ((gnu services web) #:prefix gnu:services:web:) @@ -352,6 +355,25 @@ (listen (list "192.168.10.2:443 ssl")) (server-name (list "radicale.marekpasnikowski.pl")))))))) +(define rakan-machine + #~(build-machine + (name "rakan") + (systems (list "x86_64-linux" + "i686-linux")) + (user "marek") + (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@rakan") + (private-key "/home/marek/.ssh/id_ed25519"))) + +(define guix-offload-rakan + (gnu:services:base:guix-extension + (authorized-keys (list deployment:keys:rakan-guix)) + (build-machines (list rakan-machine)))) + +(define offload-rakan + (gnu:services:simple-service 'offload-rakan + gnu:services:base:guix-service-type + guix-offload-rakan)) + (define (openssh) (use-modules (gnu services ssh)) ((@ (gnu services) service) @@ -405,6 +427,7 @@ (gitolite) (sovereign:systems:guix-home-service (list users:id1000:name/home-environment)) (nginx-izumi) + offload-rakan (openssh) (radicale))) diff --git a/deployment/systems/rakan.scm b/deployment/systems/rakan.scm index 0f03d65..6d2f244 100644 --- a/deployment/systems/rakan.scm +++ b/deployment/systems/rakan.scm 
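Review bot: In `rakan-machine`, `(private-key "/home/marek/.ssh/id_ed25519")` makes the daemon offload with marek's personal SSH key on aisaka, and Guix requires an offload key to have no passphrase. The last hunk of this commit (users/id1000.scm) adds `marek@aisaka` to the general `marek-openssh-keys` list. If that is the same key pair, a compromise of aisaka, which per the service list also runs nginx, gitolite, radicale and openssh, would expose a login as marek wherever that list is installed, not just build access on rakan. A dedicated offload key and an unprivileged account on rakan would contain this, e.g. `(user "offload")` and `(private-key "/etc/guix/offload/id_ed25519")` (both names are placeholders), with the public half authorized on rakan only.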
@@ -64,7 +64,7 @@ (define guix-offload-authorizations (gnu:services:base:guix-extension - (authorized-keys (list deployment:keys:mcdowell-guix)))) + (authorized-keys (list deployment:keys:aisaka-guix)))) (define guix-publish-configuration (gnu:services:base:guix-publish-configuration diff --git a/users/id1000.scm b/users/id1000.scm index 331eda2..0c6a0cf 100644 --- a/users/id1000.scm +++ b/users/id1000.scm @@ -544,6 +544,7 @@ (l-akashi (mixed-text-file "akashi-openssh-keys" "\n")) (l-marek (mixed-text-file "marek-openssh-keys" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4THTYnHCc/ihCJNKJtGTNu1zCnLndbMHnxnrxzJk+N marek@aisaka\n" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzC1VvW6TB4pMuGyfTM36T7Ar7FZqSXc7kCoVDNwtUX marek@akashi\n" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJew7ti1qr545Z6OUZ/xcNUg7ib6P0pTbSZqFpSvNhKU marek@mcdowell\n" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBo2coChmWHQn9BEbp0dA7DQG7CPEweVcsmnaIVmXyR marek@rakan\n")) -- cgit v1.2.3
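Review bot: The `authorized-keys` list in `guix-offload-authorizations` now holds only `deployment:keys:aisaka-guix`, and nothing beside it says what that grants: store items signed by aisaka's daemon key become importable into rakan's store. A one-line comment above the definition would record this, e.g. `;; aisaka offloads builds to this host; its daemon key may import signed store items here`. The hunk also replaces `mcdowell-guix` rather than extending the list, which is the tighter choice if mcdowell no longer offloads to rakan; confirm that is intended.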
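Review bot: The commit message attributes this key addition to `deployment/users.scm (openssh-configuration)`, but the hunk edits the `l-marek` binding in `users/id1000.scm`. Changes to authorized SSH keys are usually audited from the log, so the entry should name the file and binding actually touched, e.g. `* users/id1000.scm (l-marek): add the public SSH key of marek@aisaka.` The enclosing definition starts and ends outside the hunk, so which hosts install `marek-openssh-keys` cannot be confirmed from here.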